Abhigyan Srivastava asked:

SSL for different domains / sub domains pointing to one website on IIS 10.

We have a website that is hosted on a dedicated Windows server. The domain has an SSL certificate associated with it.

The website is a rental website and we have some clients who have created sub domains like shop.xyz.com. This domain is pointed to our IP address in their DNS. Our firewall also has an entry for these domains. This way these clients can have their customers access our website using their branding and URL. So for example we have a page:
www.ourdomain.com/store.asp?storeid=1

The same page can be accessed via shop.xyz.com/store.asp?storeid=1 where storeid represents each unique client or store. The page would be displayed using store markings like logo and custom css.

Similarly some clients have pointed their domain to our IPs in which case the above example becomes www.customer2.com/store.asp?storeid=2, 2 being the store id for customer2 and www.customer2.com being the domain owned by customer2.

We now have to put SSL on these sub domains / domains, which is creating a problem. The limitations are:
1. We cannot create sites for these sub domains as the site www.ourdomain.com uses some objects that can only be initialized once. So multiple copies of the website cannot work.
2. Since we cannot create these sites in IIS, the sites are virtual sites with mapping done in firewall.

Looking forward to your approach and solutions.

Question is how can we install SSL certificates for these sub domains.

David Favor

Whether you can do this or not is determined by software you're running.

For example, if you're using WordPress, then running a simple command line command to rename all database data to new site + changing the Webserver config means this can normally be accomplished in a few minutes.

If you're running custom code... with hardcoded URLs (database + .php files) then you may have a massive amount of work required to support this type of change.

Note: This is not a firewall mapping issue. This is an HTTPS layer type of work.

There's nothing you can do outside your HTTPS + database layer to accomplish what you're after.

At your firewall you can certainly rewrite requests + this will likely break application layer code, since...

Firewall Layer != Application Layer

Abhigyan Srivastava (ASKER)

David, thanks for your reply. No, it is not a WordPress site. The client sites are in WordPress but our domain is in classic ASP. And there is no question of renaming anything. The question is simple: Given that there are several domains that call our custom website and use some kind of basic URL rewrite that is taken care of at our firewall level, is it possible to install an SSL certificate for these domains? If so, where would they be installed? The limitation is that we cannot create a copy of our website code and create new websites.

You need just one SSL certificate - you can use a list of Subject Alternative Names (list of all the FQDN web site names) that the website will support or possibly a wildcard certificate and configure the web site via IIS Management Console on the web site's bindings for HTTPS.

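One way to script the approach in the reply above, as an added example that is not part of the original thread: it checks that a single SAN certificate really covers every host name, then adds HTTPS bindings for them to the one existing IIS site. The site name `OurDomainSite`, the thumbprint placeholder and the choice of SNI bindings are assumptions; the host names are the ones used in the question.

```powershell
# Added example, not from the thread. Run elevated on the IIS 10 server.
Import-Module WebAdministration

$siteName   = 'OurDomainSite'              # hypothetical name of the single existing site
$thumbprint = '<SAN-CERT-THUMBPRINT>'      # placeholder: cert already in LocalMachine\My
$hostNames  = 'www.ourdomain.com', 'shop.xyz.com', 'www.customer2.com'

# True when a certificate name (exact or single-label wildcard) covers the host.
function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)   # "*.ourdomain.com" -> ".ourdomain.com"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this server.' }

# Refuse to bind if any host name is missing from the certificate's SAN list;
# browsers would show a name-mismatch error for that customer.
$sanNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$missing  = @($hostNames | Where-Object { -not (Test-NameCovered -HostName $_ -CertNames $sanNames) })
if ($missing.Count -gt 0) { throw "Certificate does not cover: $($missing -join ', ')" }

foreach ($h in $hostNames) {
    if (Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $h) {
        Write-Warning "HTTPS binding for $h already exists; left unchanged."
        continue
    }
    # SslFlags 1 = SNI: IIS picks the certificate by the host name in the TLS handshake.
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*' -HostHeader $h -SslFlags 1
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $h
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}
```

The SAN check also shows why a wildcard for `*.ourdomain.com` alone is not enough here: `shop.xyz.com` and `www.customer2.com` belong to other domains and must be listed by name.
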
Hi Peter, Yes I have been thinking about the same. I am also doing a PoC on another line. Will let you know what happens.

1) You asked, "is it possible to install SSL certificate for these domains".

The answer is yes... if... big if... you control access to all domains + also how you generate the certs.

For example, if you use LetsEncrypt + have access to each site's DocumentRoot, you can set up sites in a matter of a few minutes/site to generate the initial cert, then set up a CRON job to auto renew all certs forever... well... so long as you continue having access to DocumentRoot of each site.

If you use other means of generating certs, you must have either access to each site's DNS or potentially the whois registered email address, as each cert authority operates with slightly different rules.

2) You also asked,  "where would they (certs) be installed".

Each site cert must be installed in the site's Webserver config, so to accomplish your goal you must also have edit access to each site's config + admin access to restart each Webserver on initial cert generation, then each time certs are renewed.

Note: Using Linux + LetsEncrypt, all this takes a couple of minutes to set up, then 1 minute/new domain setup, then auto-renewals occur forever, hands free. With other approaches, depending on numbers of sites, this process may require many hours each month to set up + maintain.

There's just too little information provided in your question.

For me, managing 1000s of certs, I require the 100% hands free approach, else I'd have to hire an army of people doing manual setups/renewals.

@David - As stated in the question, it is a Windows server. Having said that, IIS does not allow SSL certs to be installed in the web server config file. For Windows, the certs are automatically renewed and as long as you have the private key, there is never an issue. And if you have lost it, you could always generate a fresh CSR or repair the cert.

Question is very simple. Is there a way to install SSL certs on virtual sites i.e. sites that do not physically exist but are configured to point to another site through firewall.